One for the IP gurus..

Post by Me » Fri, 02 Apr 2004 02:44:13



Here is a question.

What is a normal amount of "noise" on a network?

Let me give you the situation.

I have just co-located a server at an ISP, I noticed a constant inbound
traffic on my MRTG graph after it had been running on his network for a
while.

When I asked about it he said it was normal for there to be "noise" on
an internet connected network.

So I have done some testing.

I ran "time tcpdump -c 100 -p broadcast" to see how long it would take
for 100 noise packets to be received ( in the sample none of the packets
were for my server ). This took 14.644 seconds.

This means that there are broadcasts on the network coming in at a rate
of 6.83 packets per second.

The majority of them are arp requests and if I am correct an arp request
is 28 Bytes plus the ethernet header of 14 Bytes. A total of 42 Bytes
per packet.

This means that at a rate of 6.83pps and a size of 42 Bytes over 30 days
it will consume about 743MB of bandwidth.. Since I pay for bandwidth
this is relevant.

So does this seem normal?

Has my ISP got a problem on their network?

Thanks.

 
 
 


Post by Alexander Cloute » Fri, 02 Apr 2004 08:47:08



> Here is a question.

> What is a normal amount of "noise" on a network?

The ISP I work for, at the moment on a per IP basis we get around 60kB per
day; however with all the recent worms and *the Microsoft seem to be
flaunting it's sitting around 160kB/day (much much higher if they get
infected ;).

You should ignore the 'broadcast' packets as most will be linked to DHCP/ARP
requests and depend on how many hosts there are locally; you really want to
just type 'tethereal -p -n' (tethereal is much nicer than tcpdump) and use
that.  With your parameters for every IP address your machine will then do a
DNS lookup on.....

Cheers

Alex



 
 
 


Post by Me » Sat, 03 Apr 2004 03:19:26




>>Here is a question.

>>What is a normal amount of "noise" on a network?

> The ISP I work for, at the moment on a per IP basis we get around 60kB per
> day; however with all the recent worms and *the Microsoft seem to be
> flaunting it's sitting around 160kB/day (much much higher if they get
> infected ;).

> You should ignore the 'broadcast' packets as most will be linked to DHCP/ARP
> requests and depend on how many hosts there are locally; you really want to
> just type 'tethereal -p -n' (tethereal is much nicer than tcpdump) and use
> that.  With your parameters for every IP address your machine will then do a
> DNS lookup on.....

> Cheers

> Alex

Hi,

My problem is that I will be paying for nearly 1 GB of traffic that is
being caused by broadcast traffic on the ISP's network, otherwise I
wouldn't worry about it..

Later..


 
 
 


Post by Me » Sat, 03 Apr 2004 03:22:08




>>The majority of them are arp requests and if I am correct an arp request
>>is 28 Bytes plus the ethernet header of 14 Bytes. A total of 42 Bytes
>>per packet.

>>This means that at a rate of 6.83pps and a size of 42 Bytes over 30 days
>>it will consume about 743MB of bandwidth.. Since I pay for bandwidth
>>this is relevant.

> Unless your bandwidth accounting is done at your NIC, you will not likely be
> paying for bandwidth of arp requests. The bandwidth accounting is more
> likely done at the provider's router, and it's pretty unlikely that the arp
> requests are coming from the other side of the router.

It is showing up on the ISP's MRTG graph ( the one that will be used to
bill me ) as well so I assume they are billing on the switch interface
and not on the router as you suggested..

This means that I will be billed for this "noise" traffic..

Thanks for your thoughts, I think I must take it up with the ISP..

Later..

 
 
 


Post by P Gent » Sat, 03 Apr 2004 03:27:22



> Here is a question.

> What is a normal amount of "noise" on a network?

> Let me give you the situation.

> I have just co-located a server at an ISP, I noticed a constant inbound
> traffic on my MRTG graph after it had been running on his network for a
> while.

> When I asked about it he said it was normal for there to be "noise" on
> an internet connected network.

> So I have done some testing.

> I ran "time tcpdump -c 100 -p broadcast" to see how long it would take
> for 100 noise packets to be received ( in the sample none of the packets
> were for my server ). This took 14.644 seconds.

> This means that there are broadcasts on the network coming in at a rate
> of 6.83 packets per second.

> The majority of them are arp requests and if I am correct an arp request
> is 28 Bytes plus the ethernet header of 14 Bytes. A total of 42 Bytes
> per packet.

> This means that at a rate of 6.83pps and a size of 42 Bytes over 30 days
> it will consume about 743MB of bandwidth.. Since I pay for bandwidth
> this is relevant.

> So does this seem normal?

> Has my ISP got a problem on their network?

> Thanks.

A.C. has some good points/suggestions.  To get a good eyeball of
what's going on you can run ethereal -- or on your server run tcpdump
and fetch the output to view in ethereal -- and capture _all_ the
traffic for, say 10 mins.  More time, bigger capture file but a
"better" snapshot.  Also do your capture during different parts of the
day/night to get a better "monthly avg" figure.

As is, however, your rate of _broadcasts_ -- which are limited to a
single net segment -- seems pretty high to me. If the route
tables/cache are working as they should and the arp cache is doing
its job you should not be seeing this much host generated broadcast
traffic or MAC resolutions, IMHO.  Is the ISP using broadcasts to
maintain/monitor link connectivity?  Capturing all traffic for several
time periods should tell you this.  And be sure to note what protocols
are running on the wire.

Also, how you are tied into the network could be an issue.  Are you
connected by a router that you control?  If it's the ISP's router they
may have cache size/timeout issues that are requiring excessive arp
requests/resolutions.  The same applies to you, of course, with your
router.  Capture all the traffic to make sure the ISP is not
generating "excessive" routing protocol traffic that is passing on
your uplink segment -- these can get out of line with a
misconfiguration somewhere and generate broadcasts.

If we're talking switches and VLANS, another beastie could be loose on
the segment that's creating bridging loops or some similar problem
when a particular MAC-IP tickles a stale or misconfigured entry.
These tend to be very spiky or overwhelming though -- doesn't seem to
be your case.

Main thing to do now is to do several captures of all traffic on the
affected interface and get a good eyeball impression of what's going
on.

hth,
prg
email above disabled
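
An added example, not part of any post in this thread: one way to do the analysis suggested above on a capture saved with `tcpdump -w`, counting broadcast frames per protocol and projecting the 30-day byte total. It assumes a classic microsecond-resolution pcap file with an Ethernet link type; the function names and the sample capture are constructed for illustration.

```python
import struct

BROADCAST = b"\xff" * 6
ETHERTYPES = {0x0806: "ARP", 0x0800: "IPv4", 0x86DD: "IPv6"}

def summarize_broadcasts(pcap_bytes):
    """Per-protocol (packets, bytes) for broadcast frames, plus capture duration."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap_bytes[:4])
    if endian is None:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled")
    stats, first, last, off = {}, None, None, 24
    while off + 16 <= len(pcap_bytes):
        sec, usec, incl, orig = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl]
        off += 16 + incl
        ts = sec + usec / 1e6
        first = ts if first is None else first
        last = ts
        if len(frame) < 14 or frame[:6] != BROADCAST:
            continue  # skip truncated records and non-broadcast frames
        etype = struct.unpack("!H", frame[12:14])[0]
        name = ETHERTYPES.get(etype, hex(etype))
        pkts, nbytes = stats.get(name, (0, 0))
        stats[name] = (pkts + 1, nbytes + orig)  # orig = length on the wire
    return stats, (last - first) if first is not None else 0.0

def project_30_days(stats, duration):
    """Scale the observed broadcast bytes to a 30-day total, in bytes."""
    if duration <= 0:
        return 0.0
    return sum(b for _, b in stats.values()) / duration * 30 * 86400

def build_sample():
    """Constructed capture: three ARP broadcasts and one unicast IPv4 frame in 10 s."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    frames = [(0, BROADCAST, 0x0806), (4, BROADCAST, 0x0806),
              (5, b"\x02\x00\x00\x00\x00\x01", 0x0800), (10, BROADCAST, 0x0806)]
    for sec, dst, etype in frames:
        hdr = dst + b"\x02\x00\x00\x00\x00\x02" + struct.pack("!H", etype)
        frame = hdr.ljust(60, b"\0")  # padded to the 60-byte minimum seen on receive
        out += struct.pack("<IIII", 1080000000 + sec, 0, 60, 60) + frame
    return out

if __name__ == "__main__":
    stats, duration = summarize_broadcasts(build_sample())
    print(stats, duration, project_30_days(stats, duration))
```

Running it over captures taken at different times of day gives the per-protocol breakdown and a monthly figure that can be set against the billing graph.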

 
 
 


Post by Alexander Cloute » Sat, 03 Apr 2004 03:48:54



> My problem is that I will be paying for nearly 1 GB of traffic that is
> being caused by broadcast traffic on the ISP's network, otherwise I
> wouldn't worry about it..

you probably want to take this up with your ISP then and give them a good
slap.  Ask if they take into account ARP packets.  ARP packets are no bigger
than 64 bytes (typically 40 bytes or so at a glance) and so it looks like you
are catering for six ARP packets a second (if the 1GB is over a month)!

Cheers

Alex

 
 
 


Post by Me » Sat, 03 Apr 2004 15:35:02




>>Here is a question.

>>What is a normal amount of "noise" on a network?

>>Let me give you the situation.

>>I have just co-located a server at an ISP, I noticed a constant inbound
>>traffic on my MRTG graph after it had been running on his network for a
>>while.

>>When I asked about it he said it was normal for there to be "noise" on
>>an internet connected network.

>>So I have done some testing.

>>I ran "time tcpdump -c 100 -p broadcast" to see how long it would take
>>for 100 noise packets to be received ( in the sample none of the packets
>>were for my server ). This took 14.644 seconds.

>>This means that there are broadcasts on the network coming in at a rate
>>of 6.83 packets per second.

>>The majority of them are arp requests and if I am correct an arp request
>>is 28 Bytes plus the ethernet header of 14 Bytes. A total of 42 Bytes
>>per packet.

>>This means that at a rate of 6.83pps and a size of 42 Bytes over 30 days
>>it will consume about 743MB of bandwidth.. Since I pay for bandwidth
>>this is relevant.

>>So does this seem normal?

>>Has my ISP got a problem on their network?

>>Thanks.

> A.C. has some good points/suggestions.  To get a good eyeball of
> what's going on you can run ethereal -- or on your server run tcpdump
> and fetch the output to view in ethereal -- and capture _all_ the
> traffic for, say 10 mins.  More time, bigger capture file but a
> "better" snapshot.  Also do your capture during different parts of the
> day/night to get a better "monthly avg" figure.

> As is, however, your rate of _broadcasts_ -- which are limited to a
> single net segment -- seems pretty high to me. If the route
> tables/cache are working as they should and the arp cache is doing
> its job you should not be seeing this much host generated broadcast
> traffic or MAC resolutions, IMHO.  Is the ISP using broadcasts to
> maintain/monitor link connectivity?  Capturing all traffic for several
> time periods should tell you this.  And be sure to note what protocols
> are running on the wire.

> Also, how you are tied into the network could be an issue.  Are you
> connected by a router that you control?  If it's the ISP's router they
> may have cache size/timeout issues that are requiring excessive arp
> requests/resolutions.  The same applies to you, of course, with your
> router.  Capture all the traffic to make sure the ISP is not
> generating "excessive" routing protocol traffic that is passing on
> your uplink segment -- these can get out of line with a
> misconfiguration somewhere and generate broadcasts.

> If we're talking switches and VLANS, another beastie could be loose on
> the segment that's creating bridging loops or some similar problem
> when a particular MAC-IP tickles a stale or misconfigured entry.
> These tend to be very spiky or overwhelming though -- doesn't seem to
> be your case.

> Main thing to do now is to do several captures of all traffic on the
> affected interface and get a good eyeball impression of what's going
> on.

> hth,
> prg
> email above disabled

Thanks, I will do that..
 
 
 


Post by Me » Sat, 03 Apr 2004 15:35:55




>>My problem is that I will be paying for nearly 1 GB of traffic that is
>>being caused by broadcast traffic on the ISP's network, otherwise I
>>wouldn't worry about it..

> you probably want to take this up with your ISP then and give them a good
> slap.  Ask if they take into account ARP packets.  ARP packets are no bigger
> than 64 bytes (typically 40 bytes or so at a glance) and so it looks like you
> are catering for six ARP packets a second (if the 1GB is over a month)!

> Cheers

> Alex

Exactly, that's why I was asking the question since 6pps of ARP traffic
seemed high.. I will be taking it up with my ISP..
 
 
 

1. Ip Route equalize w/ one machine via one ISP

I've got 2 DSL's lines I'm attempting to load balance.  I seem to have it
working but I want to add one more thing.  I want 10.0.2.252 to just go out
over eth0, ie., I don't want that machine to use the load balancing.
10.0.2.254 is the gateway.

INTERF0="eth0"
INTERF1="eth1"
NTSERV="10.0.2.252"

LOCALIP0=`cat /etc/dhcpc/dhcpcd-eth0.info | grep IPADDR | cut -c8-21`
LOCALIP1=`cat /etc/dhcpc/dhcpcd-eth1.info | grep IPADDR | cut -c8-21`

# Clear old masq's / forwards

${NET}/iptables -L -t nat
${NET}/iptables -F -t nat
${NET}/iptables -F INPUT
${NET}/iptables -F OUTPUT
${NET}/iptables -F FORWARD
${NET}/iptables -t nat -F POSTROUTING
${NET}/iptables -t nat -F PREROUTING

#  Setup IP Masq
echo 1 > /proc/sys/net/ipv4/ip_forward

ip rule add from XXX.XXX.253.158 lookup 1 dev eth1
ip route add 10.0.0.0/24 via 10.0.2.254 table 1
ip route add 0/0 table 1 dev eth1

ip rule add from XXX.XXX.253.52 lookup 2 dev eth0
ip route add 10.0.0.0/24 via 10.0.2.254 table 2
ip route add 0/0 table 2 dev eth0

ip route add default equalize \
   nexthop via XXX.XXX.253.1 dev eth1 \
    nexthop via XXX.XXX.253.1 dev eth0

${NET}/iptables -t nat -A POSTROUTING -o ${INTERF0} -j SNAT --to ${LOCALIP0}
${NET}/iptables -t nat -A POSTROUTING -o ${INTERF1} -j SNAT --to ${LOCALIP1}

If I add a 3rd table/lookup for 10.0.2.252 and then try to add a default
route for it.  I get a msg that it already exists???

TIA,
Mark

13. RH5.2: Two NICs, one DHCP, one static IP